b'                          OFFICE OF THE INSPECTOR GENERAL\n                          CORPORATION FOR NATIONAL AND\n                                COMMUNITY SERVICE\n\n\n\n\n                                         Review of\n                     The Corporation for National and Community Service\'s\n                              System Development Life Cycle\n                             OIG Audit Report Number 0 1-35\n                                    December 11,2000\n\n\n\n\n                                            Prepared by:\n\n                                          KPMG, LLP\n                                       2001 M Street, NW\n                                      Washington, DC 20036\n\n\n\n                     Under Corporation for National and Community Service\n                                  Office of the Inspector General\n                                 Purchase Order # 200008020002\n                    General Services Administration Contract # GS-23F-8 127H\n\n\n\nThis report was issued to Corporation management on May 25, 2001. Under the laws and regulations\ngoverning audit follow up, the Corporation must make final management decisions on the report\'s findings\nand recommendations no later than November 23, 2001, and complete its corrective actions by May 25,\n2002. Consequently, the reported findings do not necessarily represent the final resolution of the issues\npresented.\n\x0c                                                                                    CORPORATION\n                            Office of Inspector General                              FOR NATIONAL\n                  Corporation for National and Community Service\n                                                                                     SERVICE\n         Review of the Corporation for National and Community Service\'s\n                         System Development Life Cycle\n                        OIG Audit Report Number 01-35\n\n\n\nThe Corporation has installed several new computer applications and system upgrades in\nrecent years and continues with plans to develop and install additional major applications\nand systems. In accordance with our fiscal year 2001 audit plan for review of the\nCorporation\'s systems, CNS OIG engaged KPMG, LLP to assess the Corporation\'s\nStructured Systems Development Life Cycle (SSDLC) methodology. Their report\nconcludes that the Corporation\'s methodology provides a good approach to system\ndevelopment, but recommends improvements in three areas - goals of the policy,\nminimum requirements, and the review of development documents as refinements are\nmade to the system.\n\nCNS OIG participated in the planning of this engagement and reviewed the report, with\nwhich we concur, and the work papers supporting its conclusions. We provided copies of\nthe findings and a draft of this report for the Corporation management\'s review and\ncomment.\n\nIn its response to the report (Appendix B), the Corporation agreed with certain of\nKPMG\'s recommendations. The Corporation\'s Chief Information Officer indicated that\nCNS would incorporate a requirement for a formal test plan and a formal review of CNS\nsystems during their operational life. However, he stated that he does not plan to\nincorporate detailed guidance as to what those plans and reviews will encompass because\nthe Corporation wanted the guidance to be usable by all Corporation staff for all systems\nlarge and small.\n\n\n\n\n                                                                                Inspector General\n                                                                                1201 New York Avenue, NW\n                                                                                Washington, I)C 20525\n\x0c                                             Review of\n                        The Corporation for National and Community Service\'s\n                                  System Development Life Cycle\n                                          Table of Contents\n\n\n\n\nRESULTS IN BRIEF ..........................................................................................................\n                                                                                                                       1\n\nPROJECT OBJECTIVE .....................................................................................................\n                                                                                                                    3\n\nMETHODOLOGY .............................................................................................................\n                                                                                                                     3\n\nTHE CORPORATION FOR NATIONAL AND COMMUNITY SERVICE\nSTRUCTURED SYSTEMS DEVELOPMENT LIFE-CYCLE METHODOLOGY......... 5\n\nCORPORATION SSDLC METHODOLOGY V. NIST SP 500-153 ................................6\n   GENERAL   DIFFERENCES ...................................................................................................6\n   PHASE-BY-PHASE    COMPARISON       ......................................................................................\n                                                                                                                          7\n     Conceptual Design Phase (SSDLC) v Initiation Phase (NIST) ..................................8\n     Planning Phase (SSDLC) v Definition Phase (NIST).................................................9\n     Development Phase (SSDLC) v System Design Phase (NIST) ................................. 10\n     Implementation Phase (SSDLC) v Programming and Training Phase (NIST) ........ 11\n     Post Implementation and Systems Support Phase (SSDLC) v Evaluation and\n     Acceptance Phase NIST)...........................................................................................  12\n     Installation and Operation........................................................................................13\nMOMENTUM AND WBRS APPLICATION DEVELOPMENT METHODOLOGY\nREVIEW ...........................................................................................................................\n                                                                                                                              14\n\nSUMMARY OF NOTIFICATION OF FINDINGS .........................................................\n                                                                                           15\n\n           NOTIFICATION OF FINDINGS .......................................................\nAPPENDIX A .                                                                             A- 1\n\nAPPENDIX B .CORPORATION RESPONSES TO THE DRAFT ............................B-1\n\x0cDecember 11,2000\n\nInspector General\nCorporation for National and Community Service:\n\nAt your request, KPMG, LLP (KPMG) performed a Software Development Life Cycle\n(SDLC) Review on the Corporation for National Service\'s (the Corporation) Structured\nSystems Development Life-Cycle (SSDLC) Methodology. The primary purpose of this\nreview was to:\n\n       Assess the adequacy of policy and procedures over the SSDLC as applied by the\n       Corporation\n       Assess how the Corporation\'s SSDLC methodology compares to the guidance set\n       forth by the National Institute of Standards and Technology (NIST).\n\n\nResults in Brief\n\nThe Corporation\'s SSDLC methodology provides a good approach to system development,\nhowever we found areas where improvement would be beneficial for clarity and efficient\nexecution of the policies. The Corporation developed a SDLC methodology in Fiscal Year\n2000. The Policy is called a Structured Systems Development Life Cycle (SSDLC) Plan.\nOverall, the SSDLC is a sound document. However, it is limited in stated policies and\nprocedures. While the Corporation tries to place fewer requirements in their plan to allow for\nflexibility, increased structure is needed. KPMG\'s recommendations include:\n\n       In the Corporation\'s SSDLC methodology, there is no statement of the goals of the\n       policy, no enforcement mechanism, and no statement of consequences if the policy is\n       not followed.\n\n       We recommend making the existing purpose statement for the SSDLC more specific.\n       State specific policy goals, document enforcement mechanisms, and consequences for\n       not following the policy, and add documentation references for further guidance.\n\n       A stated goal of the Corporation\'s SSDLC methodology is to provide guidance in\n       producing methodologies specific to the development of applications. This approach is\n       very accommodating, but the policy lacks specific minimum requirements and\n       provides no uniformity to the application development process. The guidance provided\n       is not enough to ensure that the coverage for software development will be adequate.\n       Also, the guidance is vague regarding the process of approving the various\n                                          Page 1\n\x0cdeliverables.\n\nSpecifically missing is a requirement for a Risk Analysis, a System Decision Paper,\nand a formal Test Plan in the Corporation\'s SSDLC methodology. In addition, the\nPlanning Phase of the SSDLC does not explicitly address the incorporation of\ncontrols, audit capabilities, and security measures.\n\nKPMG recommends the issue of insufficient guidance be addressed by providing\nappropriate references either to internal guidance (e.g., sample formats, output from\nprevious developments) or external documents (e.g., NIST SP 500-153).\n\nAlso, require a statement of compliance that describes how the SSDLC will be applied\nto a specific development. This statement should be brief and concise, perhaps a one\nor two-page form that provides pre-defined options for each phase and space for\ncomments and rationale for exceptions. This should be reviewed and approved prior to\ninitiating procurement or authorizing an in-house development effort. Accordingly, an\napproval process for specific SSDLC Methodologies and other deliverables should be\nestablished.\n\nA high-level Risk Analysis should be required within the Project Plan prepared during\nthe Conceptual Design Phase.\n\nThe WorkProject Plan should address the rationale for selecting the design approach\nchosen for the application.\n\nThe System Design delivered as part of the Planning Phase should explicitly address\ncontrols, audit capabilities, and security.\n\nThe security and internal controls of every application should be part of the Detailed\nSystem Design. A formal Test Plan should be provided along with the tests and test\ndata.\n\nThe Corporation\'s SSDLC considers that most development documents are complete\nduring the beginning phases of the SSDLC. The SSDLC does not have a requirement\nto re-visit these documents as refinements are made to the system.\n\nWe recommend an Evaluation and Acceptance Phase, similar to that described in SP\n500-153, be added after the Implementation Phase. During this new phase the Detail\nSystem Design, the Audit Plan, all manuals and training materials should be reviewed\nand updated. Just like the Evaluation and Acceptance Phase in the NIST SP 500-153,\nthis new Phase should include an analysis of all test results, a security review, and all\nnecessary sign-offs for the transition to and operation of the new application.\n\n\n\n                                    Page 2\n\x0cKPMG also found that even though the development of the Momentum and WBRS\napplications predates the Corporation\'s SSDLC policy and that the Momentum\nimplementation is based on a commercial-off-the-shelf (COTS) product, the process followed\nduring their development and implementation is consistent with the SSDLC methodology\ndesigned by the Corporation.\n\n\n\nProject Objective\n\nThe objective of this review was to assess the Corporation\'s SSDLC methodology to\ndetermine the adequacy of policy and procedures over the SDLC as applied by the\nCorporation. In addition, KPMG was to determine, through comparison, how the\nCorporation\'s SSDLC compares to the SDLC guidance set forth by the National Institute of\nStandards and Technology\'s (NIST) Special Publication (SP) 500-153.\n\n\nMethodology\n\nIn conducting the review, we were guided by the provisions of NIST Special Publication 500-\n153, Guide to Auditing for Controls and Security: A System Development Life Cycle\nApproach ( S P 500-153). Using this publication, we evaluated the Corporation\'s SSDLC\nmethodology and the way it might have been applied to the development of Momentum and\nWeb Based Reporting System (WBRS) applications. To make that judgment, KPMG\nrequested and reviewed documentation relating to the various phases as described in the\nCorporation SSDLC. We also examined\n\n       the similarities and differences between SP 500-153 and the Corporation SSDLC;\n       the changes in system development approaches since the publication of SP 500-153;\n       applicability of both SDLC methodologies; and\n       the Corporation\'s goals.\n\nKPMG considered the fact that the development of both applications predated the Corporation\npolicy regarding the SSDLC. It also noted that Momentum is a COTS package and WBRS\nwas developed by an outside third-party under contract to CNS thereby limiting the\nCorporation\'s involvement in the life cycle of the applications.\n\nThis report documents a phase-by-phase analysis of the coverage of the Corporation SSDLC.\nThe report also provides a comparison summary, a table indicating the documentation\nobtained for each phase, observations, and recommendations.\n\nOur procedures were performed in accordance with Government Auditing Standards for\nperformance audits as issued by the Comptroller General of the United States.\n\n                                         Page 3\n\x0cThe Corporation\'s response to the SDLC review is included in Appendix B. The Corporation\nreferred to the recommendations in this report as useful and agreed to make roles,\nresponsibilities, and expectations more explicit in the SDLC. They will incorporate a\nrequirement for a formal test plan and for a formal review of the system during its operational\nlife. However, they do not plan to provide detailed guidance as to what those plans and\nreviews will encompass.\n\n\n\n\n                                           Page 4\n\x0cThe Corporation for National and Community Service Structured Systems Development\nLife-Cycle Methodology\n\nThe Corporation\'s SSDLC methodology is documented in OIT Policy 378 effective April 27,\n2000. It was implemented as a policy. Its stated purpose is to "describe a structured\napproachfor systems development JFomsystems planning and design through implementation\nand support." This policy describes the methodology as a series of steps that can be followed\nto build systems faster, at lower cost, and with less risk. Furthermore, the policy mandates\nthat the Corporation will use the policy as a guideline.\n\nThe fact that this SSDLC was issued as a "policy" seems to indicate that the Corporation\nwants to establish a uniform approach to system development. However, the documented\nexpectations are vague. It seems that this process is not to be strictly maintained as long as\nthe general approach of the SSDLC Plan is followed. While this approach is very\naccommodating, it results in a policy and related procedures that do not address the specifics\nnecessary to adhere to the SSDLC. The policy lacks detail and is not sufficient as stand-alone\nguidance in developing specific processes. The SSDLC\'s criteria for declaring a particular\nmethodology compliant or non-compliant are ambiguous. No statements regarding the\nenforcement mechanism and/or the consequences of not following the policy are made.\n\nThe weak areas could be strengthened by adding the following:\n\n       Appropriate documentation references as additional guidance,\n       Specific background information to the goals for each phase leaving less to\n       interpretation,\n       Minimal requirements for compliance; and\n       Statements regarding the consequences for non-compliance.\n\nA policy that does not include appropriate structure may not allow the policy to function as\nintended. Minimum standards provide consistency and protect the Corporation\'s interests.\n\n\n\n\n                                          Page 5\n\x0cCorporation SSDLC Methodology v. NIST SP 500-153\n\nGeneral Differences\n\nNIST SP 500-153, (Guide to Auditing for Controls and Security: A System Development Life\nCycle Approach) requires that the System Decision Paper, Audit Plan, Project Plan, User\nManual, and OperationsIMaintenance Manual be revised in various Phases, while the\nCorporation\'s SSDLC considers them complete after the first revision. The practice of\ncontinually updating the documentation ensures that all documents represent the product in its\ncurrent state. It also ensures that, as the development of the application progresses, the end\nproduct will be consistent with the stated requirements.\n\nIt is recognized that continual documentation efforts could consume a great deal of resources,\ndelay development, implementation, deployment, and complicate the task of maintaining\nrecords. The approach in the Corporation\'s SSDLC may be more practical. However, we\nrecommend that a mechanism for updating these documents be incorporated into the later\nphases of the Corporation\'s SSDLC.\n\nThe SDLC methodology in SP 500-153 places a greater emphasis on planning, design, and\ntesting than does the Corporation SSDLC. The SP 500-153 also imposes a greater burden on\nthe development process, but early planning clearly helps\n\n       avoid leaving out controls that are costly or impossible to add later,\n       improve code quality and robustness, and\n       ensure a smoother conversion and deployment.\n\nKPMG recommends that these issues be sufficiently addressed within documents already\nrequired by the Corporation, such as the System Specification.\n\n\n\n\n                                           Page 6\n\x0cPhase-by-Phase Comparison\n\nThe following table provides a side-by-side comparison of the Corporation\'s SSDLC phases\nagainst those in NIST SP 500-153.\n\nThe phases of the SSDLC vs. the NIST SDLC are:\n\n                                      Corporation                    NIST\n                                        SSDLC                        SDLC\n                Phase 1           Conceptual Design         Initiation\n                Phase 2           Planning                  Definition\n                Phase 3           Development               System Design\n                Phase 4           Implementation            Programming and\n                                                            Training\n                Phase 5           Post Implementation       Evaluation and\n                                  and System Support        Acceptance\n                Phase 6                                     Installation and\n                              I                         I   Operation\n\nEach table below is an analysis and comparison of the phases outlined in the Corporation\nSSDLC and in NIST SP 500-153.\n\n\n\n\n                                           Page 7\n\x0cConceptual Design Phase (SSDLC) v Initiation Phase (NIST)\n\nThe Corporation\'s SSDLC maps rather closely to the NIST SP 500-153 on the initial SSDLC\nPhases. In the Conceptual Design Phase, Management identifies the need for a system and\ndevelops a high-level work plan. SP 500-153 defines the Initiation Phase as identifying and\nvalidating the need, exploring alternative functional concepts, evaluating risks and performing\ncostlbenefit analysis.\n\n          Corporation SSDLC                                 NIST SP 500-153\nConceptual Design -Identify the need for       Initiation - Identify and validate need,\na system and develops a high-level work        explore alternative functional concepts,\nplan.                                          evaluate risks and perform costhenefit\n                                               analysis.\n\noutputs:                                       Outputs:\n       Needs Statement;                              Needs Statement;\n       Feasibility/Cost/Benefit Analysis;             Feasibility Study;\n       and                                            Risk Analysis;\n       High-level WorWProject Plan.                   CostlBenefit Analysis; and\n                                                      System Decision Paper.\n\n\nThe Conceptual Design Phase merges the Feasibility Study, Risk Analysis, and CostIBenefit\nAnalysis required by the Initiation Phase (NIST) into a single document and calls for a high-\nlevel WorldProject Plan. In the SP 500-153, the Project Plan is part of the second phase. The\nSP 500-153 also calls for a System Decision Paper that is not required by the Corporation and\nis presumably incorporated or implied by the WorWProject Plan.\n\n\n\n\n                                            Page 8\n\x0cPlanning Phase (SSDLC) v Definition Phase CNIST)\n\nIn the Planning Phase, system developers and users determine functional, quality, and\narchitecture requirements of the system identified in the conceptual design phase. They also\ndesign the system to meet those requirements, and plan for development and implementation.\nIn the Definition Phase (NIST), the participants (participants are not specified) define\nfunctional requirements, initiate planning of the system, identify security measure and control\nrequirements, develop a project plan for system development management with goals and\nactivities for all subsequent phases, and develop an Audit Plan.\n\n            Corporation SSDLC                              NIST SP 500-153\nPlanning -Determine functional, quality,      Definition - Define functional\nand architecture requirements of the system   requirements, initiate planning of the\nidentified in the conceptual design phase,    system, identify security measure and\ndesign the system to meet those               control requirements, develop project plan\nrequirements, and plan for development        for system development management with\nand implementation.                           goals and activities for all subsequent\n                                              phases, develop Audit Plan.\n\nOutputs:                                      Outputs:\n      Requirements Document;                        Audit Plan;\n      Architectural Model;                          Project Plan;\n      System Specification;                         Functional Requirements\n      Database Design Document; and                  Document;\n      Migration Strategy.                            Functional Security and Internal\n                                                     Controls Requirements Document;\n                                                     Data Requirements Document;\n                                                     Data SensitivityICriticality\n                                                     Description; and\n                                                     Revised System Decision Paper.\n\n\nWhile the Corporation\'s SSDLC Planning Phase involves system developers and users to\nchart the process of designing, implementing, and deploying the application, the SP 500-153\'s\nDefinition Phase does not define the participants and is still performing preliminary steps, and\naiming at addressing often ignored or postponed issues like controls, security, and audit.\nThese are important areas to address that are not spelled out in the Corporation SSDLC, but\ncould well be part of the Requirements Document and the System Specification. KPMG\nrecommends that covering these areas be mandatory in the Corporation SSDLC.\n\n\n\n\n                                           Page 9\n\x0cDevelovment Phase (SSDLC) v System Design Phase (NIST)\n\nThe Development Phase is where the actual code is designed, developed (written), and de-\nbugged. Training and reference materials are also developed during this phase.\n\n            Corporation\n                -        SSDLC                             NIST SP 500-153\nDevelopment -Code and test the system         System Design - Produce System /Design,\ndesigned in the planning phase and prepare    approve security specifications, identify\nfor training and implementation               Validation, Verification, and Testing goals,\n                                              and review and revise Risk Analysis and\n                                              Project Plan.\n\nOU~DU~S:                                      Outputs:\n    Detailed System Design;                         Revised Project Plan;\n    All required code, test data, data              Revlsed Audit Plan;\n    conversions, and system tests; and               Systern/Sub System, Program, and\n    User and Training Manuals.                       Database Specifications;\n                                                     Security and Internal Control-\n                                                     Related Specifications;\n                                                    Validation, Verification, and\n                                                     Testing Plan and Specifications;\n                                                     and Revised System Decision\n                                                     Paper.\n\n\nAlthough the goal of the SSDLC\'s System Design Phase is similar, it focuses on the design\n(no actual code is developed) and requires several specialized deliverables plus updates to the\nProject Plan, Audit, and Decision Paper. The NIST requirements are greater and more\nspecific than those in the Corporation\'s SSDLC. We recommend that the Corporation\'s\nSSDLC require security, audit, and internal controls be part of the Detailed System Design\nand that a Testing Plan be provided along with the tests and test data.\n\n\n\n\n                                          Page 10\n\x0cImdementation Phase (SSDLC) v Pronramminn and Training Phase (NIST)\nThe Implementation Phase is where the actual application is installed, tested, and accepted.\nPrior to this Phase, all code is completed and testing has begun. As part of the Implementation\nPhase, users are trained and enlisted to perform user acceptance testing.\n\n           Corporation SSDLC                                  NIST SP 500-153\nImplementation -Learn and test the              Programming and Training - Produce\nsystem to ensure it meets user                  programs ready for testing, acceptance, and\nrequirements. If the users accept the           installation, preparation of training, user,\nsystem, the system is installed and/or          and operational manuals, and a preliminary\nconverted to the new system.                    Installation Plan.\n\nOutputs:                                        Outputs:\n      User Acceptance Test; and                       User Manual;\n      Implemented/Installed/Tested                    Revised Audit Plan;\n      System.                                         OperationsIMaintenance Manual;\n                                                      Revised Project Plan;\n                                                      Validation, Verification, and\n                                                      Testing Plan and Specifications;\n                                                      Installation & Conversion Plan; and\n                                                      Revised System Decision Paper.\n\n\nThe corresponding NIST Phase stays one step behind by focusing at this time on code\ndevelopment, development of reference and training materials, updating the Audit Plan, and\nthe Project Plan. During this phase planning for the tests, the transition, and the conversion is\nalso completed. Some training is also conducted during this phase.\n\n\n\n\n                                           Page 1 1\n\x0cPost Implementation and Systems Support Phase (SSDLC) v Evaluation and Acceptance\nPhase NIST)\nThis is the final Phase under the Corporation\'s SSDLC. Operational policies and procedures\nare defined and updated during this Phase. All system maintenance, updates and\nmodifications, and assessments (auditslreviews) also take place in recurring fashion during\nthis Phase. These activities all produce output documentation that range from policy\nstatements to code updates.\n\n           Corporation SSDLC                                NIST SP 500-153\nPost Implementation and System                Evaluation and Acceptance - Conduct\nSupport -Continuously monitor the             integration and acceptance testing, an OMB\nimplemented system to ensure it measures      A-1 30 review, and produce an approval\nup to the expectations and requirements       letter from the responsible accrediting\ndeveloped in previous phases and to           official.\nenhance the system as needed to increase\nthe system\'s useful life.\n\n\noutputs:                                      Outputs:\n       Process andlor policies for                  Revised Audit Plan;\n       monitoring system, tracking                  Revised Project Plan;\n       modifications, interacting with              Revised User Manual;\n       users, requesting modifications, and         Revised OperationsIMaintenance\n       maintaining the system;                      Manual;\n       System modifications and updates;            Installation & Conversion Plan;\n       and System evaluations and                    Test Analysis & Security\n       reviews.                                      Evaluation Report; and\n                                                     Revised System Decision Paper.\n\nKPMG recommends that a requirement for the tracking and maintenance of these documents\non an on-going basis be added to this Phase. The corresponding development phase under SP\n500-153, the Evaluation and Acceptance Phase, focuses on analyzing tests, completing\nsecurity evaluation, updating Audit and Project Plans, User Manuals, and Decision Paper. An\nequivalent is not explicitly defined in the Corporation\'s SSDLC, We recommend that such a\nPhase be added either as a stand-alone or as the final part of the Implementation Phase.\n\n\n\n\n                                         Page 12\n\x0cInstallation and Operation\nThe NIST SP 500-153 defines this Phase as implementing the approved operational plan,\ncontinuing operations, budgeting and controlling all changes to the system throughout its life.\n\n    Corporation Structured Systems                    NIST Special Pub 500-153\n       Development Methodology\nNo corresponding phase.                       Installation and Operation - Implement\n                                              the approved operational plan, continue\n                                              operations, budget accordingly, and control\n                                              all changes to the system throughout its\n                                              life.\n\n                                               Outvuts:\n                                                      Revised Audit Plan;\n                                                      Revised Project Plan;\n                                                      Revised User Manual; and\n                                                      Revised OperationsMaintenance\n                                                      Manual.\n\n\nThis phase is more akin to some activities performed during the Post Implementation and\nSystems Support Phase defined in the Corporation\'s SSDLC. The deliverables from this\nPhase, other than the installed, operational, and maintained systems are all updates to\ndocuments produced in previous Phases.\n\n\n\n\n                                           Page 13\n\x0cMomentum and WBRS Application Development Methodology Review\n\nThe methodology followed in the development of the Momentum and WBRS applications\nwas reviewed as part of this Task. The goal was to document the process under the\nCorporation SSDLC and NIST Special Publication 500-153 to provide a comparison,\nillustrate strengths and possible weaknesses in the Corporation\'s SSDLC andlor its\napplication, and make any pertinent recommendations for its improvement.\n\nIn this portion of the Systems Development Life Cycle Review, we first compared the\nMomentum and WBRS application documentation to the Corporation\'s SSDLC. Secondly,\nwe compared the documentation of both applications to the guidance provided by NIST\nSpecial Publication 500-153. It should be noted that the intended scope of the SP 500-153 is\nto perform an NIST SDLC audit concurrent with the development of an application.\nHowever, because the scope of this SDLC review was performed on an existing system, this\nreview focuses on the documentation that was provided in response to the requirements of the\nmethodology.\n\nThe Momentum application is a commercial product implemented by the Corporation to\nreplace the old financial package, Federal Success. Momentum went into production in\nSeptember 1999 and therefore pre-dates the establishment of the Corporation SSDLC\'s\nmethodology as Corporation policy (effective 4/27/00). It is also important to note that being\na commercial product; the Corporation had limited control over the actual development of the\nsoftware. However, a great deal of documentation was collected showing good coverage of\nthe areas included in the SSDLC.\n\nAguirre International, a CNS Training and Technical Assistance Provider, developed the\nWBRS application. The initial WBRS pilots were launched in 1998. According to\nCorporation Management, by March of 1999 WBRS was in production in all states. This\ndeployment also pre-dates the establishment of the Corporation\'s SSDLC methodology.\nNonetheless, the Office of Information Technology (OIT) was able to either present\ncompleted documents or collect information that met the criteria for most SSDLC\nrequirements. Areas where coverage deficiencies were more noticeable include the lack of\nimplementation sign-off documentation and the lack of a documented migration strategy.\n\nWe found that significant emphasis was placed on important areas such as the development of\nmanuals, system documentation, and training materials. Considering that Momentum and\nWBRS were implemented prior to the effective date of the Corporation SSDLC policy, the\nprocess followed provides adequate coverage.\n\n\n\n\n                                          Page 14\n\x0cSummary of Notification of Findings\n\nA total of three Notification of Findings (NOFs) were issued during the course of the project.\nThe table below contains a synopsis of the findings and the recommendations documented in\neach NOF located in Appendix A.\n\n\nCondition                                      Recommendation\n\nIn the Corporation Structured Systems          Make the existing purpose statement for the\nDevelopment Life Cycle (SSDLC)                 3SDLC more specific. State specific policy\nmethodology, there is no statement of the      goals, document enforcement mechanisms,\ngoals of the policy, no enforcement            md consequences for not following the\nmechanism, and no statement of                 30licy, and add documentation references\nconsequences if the policy is not followed.    For further guidance.\n\nA stated goal of the Corporation Structured    The issue of insufficient guidance should\nSystems Development Life Cycle (SSDLC)         be addressed by providing appropriate\nmethodology is to provide guidance in          references either to internal guidance (e.g.,\nproducing methodologies specific to the        sample formats, output from previous\ndevelopment of applications. This approach     developments) or external documents (e.g.,\nis very accommodating, but the policy          NIST SP 500-153).\nlacks specific minimum requirements and\nprovides no uniformity to the application      Require a statement of compliance that\ndevelopment process. The guidance              describes how the SSDLC will be applied\nprovided is not enough to ensure that the      to a specific development. This statement\ncoverage for software development will be      should be brief and concise, perhaps a one\nadequate. Also, the guidance is vague          or two-page form that provides pre-defined\nregarding the process of approving the         options for each phase and space for\nvarious deliverables.                          comments and rationale for exceptions.\n                                               This should be reviewed and approved\nSpecifically missing is a requirement for a    prior to initiating procurement or\nRisk Analysis, a System Decision Paper,        authorizing an in-house development effort.\nand a formal Test Plan in the Corporation\'s    Accordingly, an approval process for\nSSDLC. In addition, the Planning Phase of      specific SSDLC Methodologies and other\nthe SSDLC does not explicitly address the      deliverables should be established.\nincorporation of controls, audit capabilities,\nand security measures.                         A high-level Risk Analysis should be\n                                               required within the Project Plan prepared\n                                               during the Conceptual Design Phase.\n\n                                               The WorkIProject Plan should address the\n                                               rationale for selecting the design approach\n                                               chosen for the application\n                                          Page 15\n\x0c                                              Recommendation\n\n\n                                              The System Design delivered as part of the\n                                              Planning Phase should explicitly address\n                                              controls, audit capabilities, and security.\n\n                                            The security and internal controls of every\n                                            application should be part of the Detailed\n                                            System Design. A formal Test Plan should\n                                            be provided along with the tests and test\n                                            data.\nThe Corporation\'s SSDLC considers that      An Evaluation and Acceptance Phase,\nmost development documents are complete similar to that described in SP 500-153,\nduring the beginning phases of the SSDLC. should be added after the Implementation\nThe SSDLC does not have a requirement to Phase. During this new phase the Detail\nre-visit these documents as refinements are System Design, the Audit Plan, all manuals\nmade to the system.                         and training materials should be reviewed\n                                            and updated. Just like the Evaluation and\n                                            Acceptance Phase in the NIST SP 500-153,\n                                            this new Phase should include an analysis\n                                            of all test results, a security review, and all\n                                            necessary sign-offs for the transition to and\n                                            operation of the new application.\n\n\n\n\nThis report is intended solely for the information and use of the Office of the Inspector\nGeneral, the management of the Corporation for National and Community Service, and the\nUnited States Congress and is not intended to be and should not be used by anyone other than\nthese specified parties.\n\n\n\n\nPartner,   PMG,   LLP\n\n\n\n\n                                          Page 16\n\x0c                      Notification of Findings                          Appendix A\n\nNotification of Finding: Missing statement of the SSDLC policy goals.\n\n\nCondition:\nIn the Corporation Structured Software Development Life Cycle (SSDLC) Plan, there is\nno statement of the goals of the policy, no enforcement mechanism, and no statement of\nconsequences if the policy is not followed.\n\n\nCriteria:\nOMB Circular A- 123, Management Accountability and Control\n\n\nCause:\nAlthough the more compact approach used in the Corporation\'s SSDLC provides a more\nfavorable balance between documentation and development effort than the NIST criteria,\nit lacks some important elements and should be updated. The policy as it stands is\nunenforceable, no responsibility over its enforcements is assigned, and there are no\nobjective criteria for establishing compliance even if it were to be applied.\n\n\nRisk:\nFailing to indicate policy goals, enforcement mechanism, and consequences for not\nfollowing a policy will weaken the requirement on all policies and directives. The\npurpose of a policy should not be to describe an approach; it should be to mandate\nminimum requirements.\n\n\nRecommendation:\nMake the existing purpose statement for the SSDLC more specific. State specific policy\ngoals, document enforcement mechanisms, and consequences for not following the\npolicy, and add documentation references for further guidance.\n\nGoals of the policy may include the following: Provide uniformity to the\nsystems/application development process, speed the development process, require\nadherence to standards and best practices, and provide guidance for the on-going\nmaintenance of applications. The remaining "boiler-plate" should clearly state the\nenforcement mechanism (e.g., all procurement packages will be reviewed and required to\ninclude an SSDLC methodology) and the consequences for non-compliance (e.g.,\nprocurement packages may not be processed without the required SDLC methodology).\n\n\n\n                                        Page A- 1\n\x0c                                                                      Appendix A\n\n                               Notification of Findings\n\n\nManagement Response:\n\nThis finding was discussed with Corporation Management on December 14,2000.\nComments from Corporation Management will be deferred until the final report is issued.\nThe Corporation\'s CIO does not agree with this finding.\n\n\n\n\n                                        Page A-2\n\x0c                                                                         Appendix A\n\n                                Notification of Findings\n\n\nNotification of Finding: The SSDLC is lacking specific minimum requirements and\nuniformity.\n\nCondition:\nA stated goal of the Corporation Structured Software Development Life Cycle (SSDLC)\nmethodology is to provide guidance in producing methodologies specific to the\ndevelopment of applications. This approach is very accommodating, but the policy lacks\nspecific minimum requirements and provides no uniformity to the application\ndevelopment process. The guidance provided is not enough to ensure that the coverage\nfor software development will be adequate. Also, the guidance is vague regarding the\nprocess of approving the various deliverables.\n\nSpecifically missing is a requirement for a Risk Analysis, a System Decision Paper, and a\nformal Test Plan in the Corporation\'s SSDLC. In addition, the Planning Phase of the\nSSDLC does not explicitly address the incorporation of controls, audit capabilities, and\nsecurity measures.\n\nCriteria:\nNBS Special Publication 500-153, Guide to Auditing for Controls and Security: A System\nDevelopment Life Cycle Approach (SP 500-153).\n\nCause:\nThe Corporation System Software Development Life Cycle methodology does not hlly\nconform to the criteria above. Although the more compact approach used in the\nCorporation\'s SSDLC provides a more favorable balance between documentation and\ndevelopment effort than the criteria it lacks some important elements and should be\nupdated.\n\nRisk:\nWithout uniform guidance the goal of uniformity might not be achievable, thus providing\nno clear reference to decide if a particular methodology complies with the policy or not.\n\nAlthough a Risk Analysis is no longer a requirement under OMB Circular A- 130, the\nCircular requires that the decision to implement security measures and controls be based\non the perceived risks to systems and applications. Without some kind of risk analysis, it\nmay not be possible to justify the use or non-use of a particular security mechanism\nduring a security review. Further, an understanding of the risk environment of a particular\n\n\n\n                                         Page A-3\n\x0c                                                                          Appendix A\n\n                                Notification of Findings\n\napplication is necessary to assess the appropriateness and cost-effectiveness of any\nsecurity measures.\n\nThe System Decision Paper, as defined in SP 500-153, discusses several examples of\ndesign approaches considered for application development. The Decision Paper\nhighlights the advantages and disadvantages of each approach and supports the selection\nof the approach chosen. Such a document helps maintain corporate history of the\nrationale for specific design decisions. The lack of this documentation may complicate\nlater efforts to update the application.\n\nIf security concerns, audit capabilities, and application controls are not considered and\nincorporated into the overall design, they may end up ignored completely or end up\nretrofitted into the application. This could result in a weaker, cumbersome application\nthat may be more costly to implement and operate in a safe manner. The possible lack of\nappropriate documentation of security measures and controls could make application\nsecurity and controls reviews more difficult and disruptive. It could also complicate\nsoftware updates and increase the possibility that further updates may conflict with\nexisting controls and security mechanisms.\n\nThe lack of a comprehensive Test Plan could make the testing and refining of the\napplication more difficult, time consuming, costly, disruptive, and controversial even if\nan appropriate battery of tests has been defined.\n\n\nRecommendation:\nThe issue of insufficient guidance should be addressed by providing appropriate\nreferences either to internal guidance (e.g., sample formats, output from previous\ndevelopments) or external documents (e.g., NBS SP 500-153, GAO Black Book, etc.).\n\nRequire a statement of compliance that describes how the SSDLC will be applied to a\nspecific development. This statement should be brief and concise, perhaps a one or two-\npage form that provides pre-defined options for each phase and space for comments and\nrationale for exceptions. This should be reviewed and approved prior to initiating\nprocurement or authorizing an in-house development effort. Accordingly, an approval\nprocess for specific SSDLC Methodologies and other deliverables should be established.\n\nA high-level Risk Analysis should be required within the Project Plan prepared during the\nConceptual Design Phase.\n\n\n\n                                          Page A-4\n\x0c                                                                        Appendix A\n\n                               Notification of Findings\n\nThe WorklProject Plan should address the rationale for selecting the design approach\nchosen for the application\n\nThe System Design delivered as part of the Planning Phase should explicitly address\ncontrols, audit capabilities, and security.\n\nThe security and internal controls of every application should be part of the Detailed\nSystem Design. A formal Test Plan should be provided along with the tests and test data.\n\n\nManagement Response:\n\nThis finding was discussed with Corporation Management on December 14,2000.\nComments from Corporation Management will be deferred until the final report is issued.\nThe Corporation\'s CIO does not agree with this finding.\n\n\n\n\n                                         Page A-5\n\x0c                                                                             Appendix A\n\n                                  Notification of Findings\n\nNotification of Finding: The SSDLC is missing a requirement to re-visit\ndocumentation as refinements are made to the system.\n\n\nCondition:\nThe Corporation\'s SSDLC considers that most development documents are complete\nduring the beginning phases of the SSDLC. The SSDLC does not have a requirement to\nre-visit these documents as refinements are made to the system.\n\nCriteria:\nNBS Special Publication 500-153, Guide to Auditing for Controls and Security: A System\nDevelopment Life Cycle Approach (SP 500-153).\n\nCause:\nThe Corporation Structured Software Development Life Cycle methodology does not fully\nconform to the criteria above. Although the more compact approach used in the\nCorporation\'s SSDLC provides a more favorable balance between documentation and\ndevelopment effort than the criteria it lacks some important elements and should be\nupdated.\n\nRisk:\nThe documentation prepared in the early stages of development of an application is likely to\ndepart from what ultimately is implemented. Failure to document the application as it is\ndelivered, not as designed, will complicate any efforts to enhance it, update it, or review it.\n\nRecommendation:\nAn Evaluation and Acceptance Phase, similar to that described in SP 500-153, should be\nadded after the Implementation Phase. During this new phase the Detail System Design,\nthe Audit Plan, all manuals and training materials should be reviewed and updated. Just\nlike the Evaluation and Acceptance Phase in the SP, this new Phase should include an\nanalysis of all test results, a security review, and all necessary sign-offs for the transition\nto and operation of the new application.\n\n\n\n\n                                            Page A-6\n\x0c                                                                      Appendix A\n\n                               Notification of Findings\n\nManagement Response:\n\nThis finding was discussed with Corporation Management on December 14,2000.\nComments from Corporation Management will be deferred until the final report is issued.\nThe Corporation\'s CIO does not agree with this finding.\n\n\n\n\n                                        Page A-7\n\x0c                                                                                                   Appendix B\n\n\n\n\n                                                                                  CORPORATION\n\n                                                                                  FOR K 4 T I O N A I\n\n\n\n\nApril 27,200 I\n\nThe Honorable Luise Jordan,\nInspector General\nCorporation for National and\n  Community Senice\nDear Ms. Jordan:\n\n     We have reviewed the draft audit repon Ke~ierc.uj\'the CbrpururionJbr iVurionul und\nCommunity Service \'.v System Developn~enrLife C:scle (OlG Report Number 01-35 dated December I I\n2000). We arc pleased that the auditors found that the Corporation\'s SDLC methodology provides a\ngood approach to system development.\n\n        The report contains some useful suggestions for impro\\ing the SDLC document, suggcstions\nthat we will take. However, we want to point out that the report is based on an aged and obscure\nstandard and. if fully implemented. would create a documcnt much too bureaucratic for an organization\nof our size and a document much more likely to hc ignorcd. The Corporation will incorporate in its\nSDLC the useful suggestions in a manner that will maintain the document\'s readabilit. and its\nfunctionality in our context.\n\n        Your report cites as the standard for judging our SDLC. NIST SP 500 - 153. by which we\nassume the auditors meant NSB SP 500 - 153 a Guide to Auditing for Controls and Security: A\nSystems Development Life Cycle Approach." No one in the Corporation was familiar with that\ndocument. We could tind no mention of that document in any document on the CIO Council\'s\nextensive web site. With some dificulty. we were able to tind the 1988 document offered for sale at\nNIST for $65. Where agencies have been instructed that this is the preferred model for an SDLC. we\ndo not know. We believe there is a reason no one has heard of the NBS document. It retlects the way\nin which large systems were built in the mid 1980s and it is a singularly unreadable document.\n\n       The Corporation drafted its SDLC about a ycar ago after reviewing about six such documents\nfrom other Federal and State entities. Our documcnt was craticd so that it \\vould be vety readable for\n\n\n\n\n                                              Page B-1\n\x0c                                                                                                  Appendix B\n                                                                                                           I\n\n\n\n\nour Irtrgcly non-technical audience. We kept it reasonably gcncric so that one policy would be equally\n>uitcd for use wirh major s)sten~s.which we develop only every few years. and with minor systcms\nthat \\\\c develop more often. We wanted all Corporation staff to he able to. in fact be required to. read\nthe document. undcrstmd it. and develop well thought out systems designs.\n\n        As supgestcd in the report. we will make roles. responsibilities. and expectations more explicit\nin our SD1.C. We will incorporate a requirement for a formal test plan and for a formal review of the\nsystem during its operational life. But we will not provide detailed guidance as to what those plans and\nreviews will encompass. As stated earlier. we want this document to serve equally well for systems\nlarge and small. And finally, we will not point the readers of our policy toward the almost\nimpenetrable NBS document.\n\n        We would like to thank KPMG\'s staff for their willingness to discuss this work with us during\nits development.\n\n                                              Sincerely,                       I\n\n\n\n\n                                              David N. Spevacek\n                                              Chief Information Officer\n\n\ncc:     Wendy Zenker\n        Hill Anderson\n\n\n\n\n                                                Page B-2\n\x0c'